The document discusses future directions for identity management and electronic identification (eID). It notes growing demand for identity assurance globally due to increasing regulations, digital payments, and cross-border interactions. Several countries have implemented national eID systems with varying levels of assurance and functionality. High assurance eIDs that can be used across borders and support commercial processes are most valued. Moving eIDs to mobile could reduce costs and open opportunities. National eID programs should focus on level 3 or 4 assurance for high value, functionality, and future interoperability.
2. Social Norms
• We have social norms of behaviour built over millennia
• Society runs on trust
• We act in groups
  – Individually
  – Organisationally
  – Nationally
  – Internationally
• Disruptive change
  – Villains
  – Heroes
3. Biggest problem – Tower of Babel
• We are all affected by the same things
• Laws of physics still the same
• Yet… a gazillion point solutions
• Darwinian outcome certain:
  – Centralise; or,
  – Interoperate
• Follow the herd
• VHS vs Betamax
4. eIDAS history
• European Digital Agenda Key Points 3 and 16
• EU WG to develop an EU Citizen eID specification
• DG HOME Expert Group on ID Fraud. Europol reports ID Fraud top enabler of crime. Council action requested.
• Ad hoc eID tech demonstrators leading to STORK
• STORK large scale pilot
• DG CONNECT project to develop eID interop policy
• eIDAS Regulation published. Compliance by Sep 2017.
• Comparisons with international standards and regulations.
info@bbfa.info
5. Legislation
• eIDAS. eID Authentication & Digital Signature Regulation
– Citizen eID recognised in all Member States for public purposes
• NISD. Network Information Security Directive
– Data breach notification to regulators and EU
• GDPR. General Data Protection Regulation
– Pseudonymity
– Preventing a person becoming identifiable
• 4th Anti Money Laundering Directive
  – Customer due diligence checking requirements, reporting suspicious transactions, maintaining records of payments, combating money laundering & terrorist financing activities
– Registers for beneficiary traceability
• Payment Services Directive 2 (PSD2)
– Expands use of digital payments and cross-border payment flexibility
– Expanded scope. Includes new digital payment services
– New security, insurance and due diligence requirements
6. 4 Contexts of Identity
[Diagram: four quadrants]
• Citizen
• Consumer
• Employee - Gov
• Employee - Industry
Plus:
• Device ID
• Organisation ID
• Software Authentication
• Data Authentication
8. The Basic Electronic Credential Lifecycle*
[Flowchart. Phases shown: Sponsorship, Application, Registration, Provisioning, Enrolment, Issuance, Use, Manage. Steps shown: Initial Verification, Proofing documents, Full Verification, Interview, Approve? (Y/N; Stop), Order credential, Data preparation, Data transfer, Print credential, Data injection into chip, Validation & Quality check, Secure transport, Customer notification, PIN issuance, Customer receipt, Authenticate User, Authenticate credential, Activate credential, Use (See Trust Framework), Suspend, Revoke, Renew?, Destroy, Restart (point depends on policy).]
* Ignores supporting information management
9. Governance
• Community of trust. Transparency
• Shared objectives
• Collaborative governance of risk stakeholders
• Liability model
• Six elements
– Policy Management Authority & Technical Design Authority
– Trust Operations
– Assurance
– Enforcement and trust repair
– Company responsibilities
– Community & stakeholder management
10. Levels of Assurance
We need to identify ourselves to others, and vice versa, in a wide range of situations and particularly for electronic activities, which may require different Levels of Assurance.
1. LoA 4. Extra measures. 3 factor authentication (with second biometric). Strong hardware token. Optional federated Physical Access Control. Used in highly secure situations.
2. LoA 3. High confidence in identity. Legally robust non-repudiation. 2 Factor Authentication. E.g. employee authentication, digital signature, ID based encryption, secure email.
3. LoA 2. Some confidence of identity. Expect some failures. Financial liability model. E.g. credit cards, Know Your Customer.
4. LoA 1. Self assertion. E.g. mickey.mouse@microsoft.com.
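Added example, not from the slides: a small Python model tying the credential lifecycle of slide 8 (Activate, Suspend, Revoke, Renew, Destroy) to the factor requirements of the Levels of Assurance slide, so that a relying party refuses a credential that is not active, was issued below the required LoA, or is presented with too few factors. The state names, the "resume" transition, the LoA 1 and 2 factor minima and the `authorise` check itself are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    ISSUED = "issued"        # provisioned and delivered, not yet activated
    ACTIVE = "active"
    SUSPENDED = "suspended"
    REVOKED = "revoked"
    DESTROYED = "destroyed"

# (action, from-state) -> to-state. Activate, Suspend, Revoke, Renew and Destroy
# come from the lifecycle slide; "resume" (lifting a suspension) is an assumption.
TRANSITIONS = {
    ("activate", State.ISSUED): State.ACTIVE,
    ("suspend", State.ACTIVE): State.SUSPENDED,
    ("resume", State.SUSPENDED): State.ACTIVE,
    ("revoke", State.ACTIVE): State.REVOKED,
    ("revoke", State.SUSPENDED): State.REVOKED,
    ("renew", State.ACTIVE): State.ISSUED,     # renewed credential needs activating
    ("destroy", State.REVOKED): State.DESTROYED,
}

# Minimum factors per LoA: LoA 3 = two factors, LoA 4 = three (with a biometric
# and a hardware token) per the LoA slide; the LoA 1 and 2 minima are assumptions.
MIN_FACTORS = {1: 1, 2: 1, 3: 2, 4: 3}

@dataclass
class Credential:
    holder: str
    loa: int                 # assurance level the credential was issued at
    state: State = State.ISSUED

    def apply(self, action: str) -> None:
        """Advance the lifecycle; an illegal transition is an error, never a no-op."""
        key = (action, self.state)
        if key not in TRANSITIONS:
            raise ValueError(f"{action} not permitted from {self.state.value}")
        self.state = TRANSITIONS[key]

def authorise(cred: Credential, required_loa: int, factors: set,
              hardware_token: bool) -> tuple:
    """Relying-party check: credential usable, issued high enough, enough factors shown."""
    if cred.state is not State.ACTIVE:          # unactivated, suspended, revoked, destroyed
        return False, f"credential {cred.state.value}"
    if cred.loa < required_loa:
        return False, f"credential LoA {cred.loa} below required {required_loa}"
    if len(factors) < MIN_FACTORS[required_loa]:
        return False, f"{len(factors)} factor(s) shown, {MIN_FACTORS[required_loa]} needed"
    if required_loa == 4 and ("biometric" not in factors or not hardware_token):
        return False, "LoA 4 requires a biometric factor and a hardware token"
    return True, "ok"
```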
12. [Diagram, untitled: the four contexts (Citizen, Consumer, Employee - Gov, Employee - Industry) plotted against LoA 1-4. Labels shown: 9/11; HSPD 12; FIPS 201 - PIV; FIPS 201 - PIV-Interoperable; ITU-T/ISO 24760/29115; Supply chain collaboration; CertiPath/SAFE-BioPharma; Kantara Initiative Identity Assurance Framework; sectors Borders, Police, NATO, SESAR, Legal, Energy, Pharma, Aerospace; OIX, Google, Facebook, Credit cards at LoA 1-2; "HACC? NFC??"; "US NSTIC ?"; "Hardly used = weak business case?"; "Good Federation".]
13. Level 3+ Identity Federations (PKI) - a UK perspective
British Business Federation Authority - office@federatedbusiness.org
[Diagram. Brokers: CertiPath (Aero/Def), UK PKI Bridge, SAFE-BioPharma. Cross Certified Orgs / Early Adopters (LoA 2+): MOD, NHS, NPIA/Police, DWP+. Potential Gov & Ind CSPs: EADS/Cassidian, Citi, Entrust, SAFE/BioPharma, Symantec, Trustis. Potential UK CSPs (Emerging Bridge): Citi, EADS, Entrust, Symantec, Verizon Business+. Other Potential National Bridges or CAs: USA, Australia, Canada, NZ, NL, BE, FR, DE, IT+, NO, SWE, ESP, Interpol, EU, NATO.]
Any nation could put itself at the centre…
14. Some EU National e-ID initiatives
Nation | Name | Purpose | Population | LoA | Biometrics | Features | Remarks
Estonia | ID | E-gov, Societal | 1.3 M+ | 4 | Face | Auth, Sign, Encrypt |
Estonia | E-residency | E-gov & business | 8 M target, 10 k today | 3 | Nil | Auth, Sign, Encrypt |
Belgium | .beID | Societal | 12 M | 3 | Face | Auth, Sign, Encrypt |
Germany | Personalausweis | E-gov | 80 M+ | 3/4 | Face | Auth, Sign, Encrypt | Low adoption of eID
France | France Connect | E-gov | Starting | 2/3? | ? | ? |
UK | Verify | Limited E-gov | 50 M | 2 | Nil | Auth | 333 k users, 1.5 uses/year
Austria | Personalausweis | E-gov | 10 M | 3/4 | Face | Auth, Sign, Encrypt |
NL | DigiD | E-gov | 12 M | 3 | Face | Auth, Sign | Tax only
Malta | E-ID | E-gov | 400 k | 3 | Face | Auth | Voting
Ireland | ID card | Travel | 5 M | 3 | Face | Auth | Requires passport
15. Lessons
• Top Lesson. Be clear – is the e-ID to benefit the government or the nation? The legal, benefit and business models are very different.
• Cards for e-Gov have low adoption and usage rates and little value. People forget where they are and how to use them. Gov is unable to achieve major savings and has to maintain manual systems.
• Cards for societal use have reasonable adoption and use, but the benefits are not significant.
• Cards that assist commercial processes (e.g. KYC, AML, company management, contract signing, power of attorney) are highly valued and used.
• Cards that can be used across borders are more valued (high demand for the Estonia e-Residency card). Other nations are thinking of following the Estonian model.
• The move to mobile will open more opportunities, reduce operating costs and be more secure. Opportunity for the ID to make money.
16. Other National e-ID initiatives
Nation | Name | Purpose | Population | LoA | Biometrics | Features | Remarks
Malaysia | MyKad | E-Gov, societal, bank, email | 30 M | 4 | Face, finger | Auth, sign, encrypt | 1st e-ID
NZ | RealMe | E-Gov, online services | 5 M | 3 | Face (video) | Auth |
Japan | My Number | E-Gov | 130 M | 3/4 | Face, ? | Auth, ? | Disaster services
Korea | (New project) | E-Gov | 40 M | 3/4 | Face, ? | Auth, sign, encrypt | Resident Registration Number fraud
Singapore | E-IC | E-Gov, societal, bank | 5 M | 3/4 | Face, ? | Auth, sign, encrypt | Design stage
Nigeria | e-ID | E-gov, societal | 180 M | 4 | Face, finger | Auth, sign, encrypt | Agricultural subsidy fraud
Kenya | (New project) | E-Gov | 44 M | ? | Face, finger | |
India | Aadhaar | Societal | 1 bn+ | 3/4 | Face, iris, retina | Auth, Sign, Encrypt | Largest deployment
US | NSTIC | Industry-led societal | ? | 2/3 | ? | Auth | Online only. Pilots
US | 18F | E-gov | 300 M | 3/4 | Face, finger, ? | Auth, Sign, Encrypt | Design stage
China | Starts 2017 | E-Gov or societal | 1.4 bn | 4 | Multiple | Auth, ?? | Counter fraud
17. Lessons #2
• Top lesson. Go to LoA 3 or LoA 4.
• US. Started with Federal & business high assurance PKI. NL followed suit.
• NZ. Focusing on identity proofing and biometrics.
• Industrial Asian countries are mainly LoA 4, which allows for high interaction between society and business.
  – S. Korean Government and industry PKIs are cross-certified (like NL and EE)
  – China expanding its PKI. Over 800 Certificate Authorities today
  – Malaysia PKI for business, links to government
  – Kenya is likely to expand its MPESA network to support a new e-ID.
18. National e-ID Choices
• Scope
– Nation-born citizens
– Naturalised citizens
– EU nationals
– EEA
– Foreign nationals
– Refugees
• Age - Children, old persons
• Functions
– Authentication, signature, encryption
– Proxy, Power of Attorney
– Financial, wallet
• Use cases
– E-gov, tax, pensions & benefits
– Health and patient records
– Payments
– Transport
– Travel & border control
Key points
• Trade Off
  – High LoA: High value, functionality, use cases, interoperability, future proofing, reduced risk. But high cost.
  – Low LoA: Limited use, value and future. Can't interoperate. Not trusted. High risk but cheap. Liability issues.
• Leading nations are basing digital innovation on high assurance e-ID
19. [Image: cover of the HMG Office of Government Science report for the UK Prime Minister, published 19 Jan 2016]
• Two ministers leading in HMG
• Industry collaboration
• NL and EE participation starting
• Identity & Access Management essential
20. eResidency has huge potential!
• It’s a step ahead of everyone else
• What does it need to do to remain ahead?
21. 10 Major Conclusions
1. Innovate – Clear goals. Learn through success & failure. Use case driven - follow the money. First mover advantage. Make eResidency an eID? More functions?
2. Accelerate – Focus, speed and scale. Smart phones and block chains
3. Differentiate – cross-border e-IDs support high assurance e-IDs in chains of trust, leveraging national e-IDs
4. Federate – with other high assurance IDs
5. Interoperate - data, policy, system interoperability. Re-use. Standards
6. Collaborate – 98%+ of transactions involve industry
7. Communicate – create a community and executive awareness
8. Coordinate – with others
9. Mitigate – Collaborative risks. Brand protection
10. Regulate – privacy and public safety